This isn't valid. ... View more

Yep.. true. Its just once in a week. Its like we are utilising the splunk resource for the search but not making use of it. But, it still works the way we wanted it to work 🙂 I tried to run this condition separately in a subsearch to avoid running the entire search, it worked for few days before it stopped working recently, not sure if version upgrade or something caused it. [| makeresults | eval biweekly_cycle_start=1726977600, biweekly=round(((relative_time(now(),"@d")-biweekly_cycle_start)/86400),0)%14 | where biweekly=0] It would be smooth if there's a way similar to this. ... View more

@prakashbhanu407 @woodcock  This works too.. maybe you can use for the future requirement, I had a similar requirement, and I solved it using a combination of a cron schedule and a condition in the search query. It's just two steps, first to setup a weekly schedule and then a condition to return result only once every two weeks. Set up weekly cron schedule. For example, to run at 6 p.m.  on every Sunday, use: 0 18 * * 0 Add the following condition to your search query, placing it where the query runs efficiently without affecting the final output: | eval biweekly_cycle_start=1726977600, biweekly=round(((relative_time(now(),"@d")-biweekly_cycle_start)/86400),0)%14 | where biweekly=0 In this example, I introduced a reference epoch time, biweekly_cycle_start, to calculate the two-week cycle. It represents the epoch time for two weeks before the alert schedule's starting date. For instance, if your schedule begins on October 6, 2024, use the epoch time for the start of the day, September 22, 2024, which is 1726977600. Each time the alert runs, the condition checks whether two weeks have passed since the last run. It returns results every two weeks and no results on the off week (seven days from the previous run). Simply insert this condition where it will optimize the search performance, before the final transforming commands like stats, top, table, etc. ... View more

@kzkk  You would have found an alternate way but this maybe useful in the future, I had a similar requirement, and I solved it using a combination of a cron schedule and a condition in the search query. It's just two steps, first to setup a weekly schedule and then a condition to return result only once every two weeks. Set up weekly cron schedule. For example, to run at 6 p.m.  on every Sunday, use: 0 18 * * 0 Add the following condition to your search query, placing it where the query runs efficiently without affecting the final output: | eval biweekly_cycle_start=1726977600, biweekly=round(((relative_time(now(),"@d")-biweekly_cycle_start)/86400),0)%14 | where biweekly=0 In this example, I introduced a reference epoch time, biweekly_cycle_start, to calculate the two-week cycle. It represents the epoch time for two weeks before the alert schedule's starting date. For instance, if your schedule begins on October 6, 2024, use the epoch time for the start of the day, September 22, 2024, which is 1726977600. Each time the alert runs, the condition checks whether two weeks have passed since the last run. It returns results every two weeks and no results on the off week (seven days from the previous run). Simply insert this condition where it will optimize the search performance, before the final transforming commands like stats, top, table, etc. ... View more

@geninf5 @gcusello  I had a similar requirement, and I solved it using a combination of a cron schedule and a condition in the search query. It's just two steps, first to setup a weekly schedule and then a condition to return result only once every two weeks. Set up weekly cron schedule. For example, to run at 6 p.m.  on every Sunday, use: 0 18 * * 0 Add the following condition to your search query, placing it where the query runs efficiently without affecting the final output: | eval biweekly_cycle_start=1726977600, biweekly=round(((relative_time(now(),"@d")-biweekly_cycle_start)/86400),0)%14 | where biweekly=0 In this example, I introduced a reference epoch time, biweekly_cycle_start, to calculate the two-week cycle. It represents the epoch time for two weeks before the alert schedule's starting date. For instance, if your schedule begins on October 6, 2024, use the epoch time for the start of the day, September 22, 2024, which is 1726977600. Each time the alert runs, the condition checks whether two weeks have passed since the last run. It returns results every two weeks and no results on the off week (seven days from the previous run). Simply insert this condition where it will optimize the search performance, before the final transforming commands like stats, top, table, etc. ... View more

Yep you are right, I wasn't thinking about that. We can still use the following, | streamstats count as Rank | delta Score as Diff | eval Rank=if(Diff=0,null,Rank) | filldown | fields - Diff ... View more

If you want to avoid using 2 streamstats you shall try this way, | streamstats count as Rank | delta Score as Diff | eval Rank=if(Diff=0,Rank-1,Rank) | fields - Diff And with 2 streamstats you shall try this so to avoid 1 extra filldown command, | streamstats count as Rank | streamstats window=2 range(Score) as range | eval Rank=if(Rank=1 OR range != 0, Rank, Rank-1) ... View more

Yes, the result would be the same whenever it runs but I would prefer it to execute only after the user click on Submit button.  ... View more

Sorry it didn't help. I have done a similar way as on the sample. I would like to find out what's wrong with what I have here. Appreciate your help @gcusello ! ... View more

Is there a different method when its on base search? ... View more

This solution didn't work. Basically it runs on all the days of the month from 1-7 and on all the Mondays. ... View more